(SEPM) More variables for AV/AS Exclusions

Created: 05 Aug 2009 • Updated: 29 Jan 2010 | 53 comments
Jeremy Dundon
134 Agree
0 Disagree
Status: Reviewed

The variable for the current user's profile (Documents and Settings...) is currently unavailable when creating file and folder exclusions in Centralized Exception policies.

I know that this variable exists, as many programs (Internet Explorer, Firefox et al.) use it; it stands to reason that exclusions may need to be made there.

53 Comments

Scuba Steve

Why not just put in the full path?

0
Jeremy Dundon

If I put in an exception for docs and settings\scuba steve\local settings\fun program.exe and zoidberg logs on, AV will still trigger on docs and settings\zoidberg\local settings\fun program.exe.

+7
Scuba Steve

I see what you are saying now. Yes, having the %userprofile% variable for our exclusions seems to be a pretty important option actually.

+7
Scott_Alexander

I think adding a %userprofile% variable is critical

+5
AravindKM

Good idea. In fact this is an urgent requirement.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

+6
gpickering

Yes, this is a major oversight in an enterprise environment.

+3
Rafeeq

Critical exclusion 

+2
HZS KV

very important for our company...

+3
Scuba Steve

I now have a customer with 10's of thousands of users that he needs to make an exception for in all of their profiles. This needs to be changed immediately.

Where is product management with this.

+4
Eradiani

I have now 2 customers that really need exclusions for user's profile.  This is especially important on citrix/ESX/etc environments.

+3
csgops

This is also critical for us, not just for centralized exceptions but also for firewall rules. Can we expect this anytime soon Symantec...?

+2
Tech4RBH

I have been asked to move to another security product.  This is going to affect a March roll-out we have scheduled.  Symantec support has given no workarounds for me to centrally exclude a directory from the %userprofile%.  Without this exclusion for all workstations, we can no longer use SEP.

+1
Kamil M

I don't understand how this gets overlooked. There should at least be a way of excluding a specific filename without specifying a full path. That way I could exclude certain files from being scanned from user profiles.

+4
Pray4u

Is there anything done regarding this in RU6a?

0
Mick2009

Adding some food for thought to this thread:

Symantec's white paper on Terminal Servers makes mention of profiles.  The full .pdf can be downloaded from http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008112414453348 

"Some server administrators may wish to exclude their users roaming profiles and/or “My Documents” folders from being scanned for security risks. While this will improve performance, Symantec would not recommend this approach – in practice this is generally the location in which security risks are discovered."

Thanks and best regards,

Mick
 


0
Oivin

I have several customers on Citrix that would be happy for this, even though Symantec does not recommend it. For many customers, it would be important to exclude directories like m:\documents and settings\%username%\Application Data\<application>\<subfolder>.

So, I would not only want the %userprofile% variable, but also %user%.

 

+1
Altair

We are also looking to exclude subdirectories of the users' folders, namely My Documents.  This seems like it should be a simple fix and could be released with a patch.  Shouldn't it be up to the admins to decide what is secure for their network?

+1
jlavin

I totally agree with you Altair.  Give us the option!!!

0
remargable

And while they're at it, maybe Symantec could include some other filters they have built into their Backup Exec product?

for example:

%temp%  %wintemp%  %webtemp%  %recycled%  %currentuserprofile%  %currentusermydocs%

0
offroadaaron

Has anything happened about this? I need some exceptions for folders and files within roaming profiles.

0
Bored Silly

The cache of a graphical medical application resides under the Application Data (XP) or AppData folder  (Win7) and we need to exclude it for some 15,000 users on 10,000 machines.  Either SEP needs to add the functionality for all Windows OS variables as Oivin mentioned above or at least add the Current User profile to the list.  I suggest allowing all Windows variables but will settle for Current User.  Thanks!

0
Bored Silly

This thread is also pushing for something similar but has fewer votes.  I'm voting for everything hoping to get the developers' attention:

https://www-secure.symantec.com/connect/idea/centr...

0
captainflannel

We have an application which creates a folder structure inside each user temp folder.  We are experiencing performance issues and it is recommended by the application vendor to exclude this temp folder from all Virus Scanning.  How are we able to provide a solution?

+1
Christoph Meier

Hi,

I use the version SEPM 12.1.671.4971

How do I exclude a directory like "c:\documents and settings\%username%\temp"?
How can I define a custom prefix variable?

Thanks and best regards, Christoph

0
Paul Murgatroyd

We are looking into what we can do here.

%USERPROFILE% is actually harder to implement than you would think, as it means every time the user logs on we would have to dynamically enumerate the user and create the exception.  Then, what happens when there is no user logged on, but scans and AV are still running?  This gets even more interesting when you understand that our drivers are kernel based, so we need user mode code to help us determine what %USERPROFILE% is.

We believe the better route forward here is to use wildcards in pathnames.  So, for example, C:\Users\*\Temp would match any user profile on the server or client, whether they are logged in or out.

Thoughts?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

+5
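
Added example (not part of the thread, and not Symantec's code): a sketch of the wildcard matching proposed in the comment above, comparing a scoped `C:\Users\*\...` folder exclusion with the whole-`C:\Users` workaround that other comments in this thread describe. It assumes `*` matches within a single path component and that paths are normalized before matching; the sample paths are constructed.

```python
import ntpath
import re

def compile_exclusion(pattern):
    """Compile a folder exclusion in which '*' matches within one path
    component (assumed semantics; not Symantec's documented behaviour)."""
    parts = []
    for component in pattern.rstrip("\\").split("\\"):
        # '*' may not cross a backslash, so it can stand for one profile name
        parts.append(r"[^\\]+".join(re.escape(p) for p in component.split("*")))
    # Match the folder itself or anything beneath it, case-insensitively
    return re.compile("^" + r"\\".join(parts) + r"(\\.*)?$", re.IGNORECASE)

def is_excluded(path, pattern):
    # Collapse '..' and '/' first so a path cannot borrow an excluded prefix
    return bool(compile_exclusion(pattern).match(ntpath.normpath(path)))

def excluded_paths(paths, pattern):
    """Return the paths (in input order) that the exclusion would skip."""
    return [p for p in paths if is_excluded(p, pattern)]

SCOPED = r"C:\Users\*\AppData\Roaming\Connectwise"  # one folder per profile
BROAD = r"C:\Users"                                 # the whole-tree workaround

# Constructed sample paths, not taken from any real scan log
SAMPLE_PATHS = [
    r"C:\Users\zoidberg\AppData\Roaming\Connectwise\cache.dat",
    r"C:\Users\zoidberg\Downloads\setup.exe",
    r"C:\Users\scuba steve\AppData\Roaming\Connectwise\..\..\Local\Temp\setup.exe",
    r"C:\Users\zoidberg\AppData\Roaming\Connectwise2\x.dll",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"scoped={is_excluded(p, SCOPED)!s:5} "
              f"broad={is_excluded(p, BROAD)!s:5} {p}")
```

The scoped pattern leaves three of the four sample paths subject to scanning, while the broad one skips all of them.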
rhophi

That is a great idea, however it doesn't appear to be supported in SEP 12.1 RU1, yet.  Any idea if this is actually going to be implemented?

0
gbb

I would like to add my support of the wild card idea.  Just upgraded to 12.1 RU1 MP1 (12.1.1101.401) and still don't see any option for this. 

0
Shawn T.

Paul, I completely agree with the wildcards in exceptions. This would avoid the issue that %USERPROFILE% doesn't exist until a user logs in. There is even another idea post for wildcards. I'm not sure if supporting regular expression would be preferred, but certainly the use of * and ? would be most useful.

0
Joe FW

I think Paul M's comments are correct about wildcards.

We will need this functionality or some other workaround for the exception process in SEP 12.

I am not going to sugar coat it, deficiencies like this are the reason we only signed a 1 extension with Symantec.

0
Dunkers

I've just started rolling out the 12.1 client and it's picked up one app's DLL's as problem files.  The location is in the user profile's folders.  I have a few hundred people that this is affecting and can't add an exception for each user as that's totally absurd. 

Until Symantec take a look at the files and OK them, this is indeed a critical issue.

 

The wildcard idea looks good, as long as there's a way to put a path in that covers all the subfolders in a userprofile then I'd be happy.  smiley  <-  it's a face and it's happy

+1
Yahya

 

 

I think Wildcard won't be implemented due to restriction from Java, which SEPM is using

 
 

0
Lawson Poling

Yahya - That's kinda funny. SEP uses Java but every day I see the firewall blocking Java download requests from the Java application. At first I was suspicious of the firewall activity but it looks to me like Java auto updates cannot run because the file downloads are blocked. I can imagine someone at Symantec saying, "The client will be okay. It'll download the Java update and everything will be fine."

BUT, that's not why I'm here.

We need the ability to block variable filenames like BITxxx.tmp, WITHOUT a specific path, so SEP will stop tagging our SCCM downloads as malicious. Apparently the scanning technology doing this is Suspicious.Cloud

Comments?

0
Shawn T.

Lawson, you may want to look at configuring a trusted web domain. Please create a new thread or case if you still need help with this.

Excluding a  trusted Web domain from scans: http://www.symantec.com/docs/HOWTO55211

0
Jimmy Noel

Does anybody know, if and when exceptions with wildcards are possible?

We need to exclude one foldername (on any drive, any subdir, any junction).
Till now, we have to enter every possible absolute path.

0
bjam

Our document management system recommends excluding a specific folder that is created in the %userprofile% temp directory. If the exclusion is not set up it could result in document corruption. We need a way to exclude this folder. Are there any changes or updates to this issue?

0
Yahya

 

 

It is still not possible. You can exclude the whole "users" folder. We had the same issue with Citrix and profiles, and that was the only way unfortunately.

 
 

0
dwarfsoft

I'd also like to point out that another Symantec Product, Enterprise Vault, requires User Profile based exceptions.

http://www.symantec.com/business/support/index?page=content&id=TECH48856&actp=search&viewlocale=en_US&searchid=1301941173643

Windows XP: %HOMEPATH%\Local Settings\Application Data\KVS\Enterprise Vault\<STOREKEYDIR>
Windows 7: %USERPROFILE%\AppData\Local\KVS\Enterprise Vault\<STOREKEYDIR>

Considering that both SEP and EV are owned by Symantec I'm a little surprised there isn't a solution for this already.

 

0
awatcha

We are using a specific application (Connectwise) that needs to have a folder in the exceptions:

%userprofile%\AppData\roaming\Connectwise

It seems that the current workaround is to add the folder c:\users as an exception. Is there another method?  Sounds like adding the whole c:\users folder would be a pretty big security risk.

 

0
MichaelB 2

I'm in the same situation as Bjam above. I need to configure an exception in %userprofile%\TEMP for our document management system.

Fully agree with Paul's idea of implementing wildcards. Any idea what the current status is? I don't see this being implemented in 12.1 RU2.

0
bjohn

It's a shame that this hasn't been fixed yet. Stupid Symantec.

0
cus000

Someone gets angry.... anyway I support this idea

0
Bryon

Having the option of using a Windows path variable just makes sense.  Every time I run into this issue I'm surprised it hasn't been added.  I can't vote thumbs up enough times on this to let you know how important I think this is.

+1
droid

This feature definitely needs to be added. We are in the process of rolling out a reporting system that has a very specific set of exceptions we must add.

One of the exceptions we need to add looks like this: C:\Users\<Windows USER_ID>\AppData\Roaming\reporting_program\etc

Essentially each user that runs the program gets this folder created in their appdata folder. We need to be able to exclude only that program's folder within each user's appdata folder. The only way around this currently is to exclude the entire C:\Users directory which is completely unacceptable.

 

EDIT:

I should also mention that this program is essential for patient care. We absolutely need it to work properly, so if there isn't a way to get the exceptions working we might just have to look into a different product.

0
bjohn

This thread is almost three years old. Good luck in getting Symantec to implement this idea. Might as well find another product.

+1
Ruiz

Case number 05113955

Hello,

I also ran into a problem deploying an exception rule for the user profile on the client computers on my network (50 machines) from the Symantec server console.

As a result, I had to deploy my exception rule manually.

I manage 50 PCs and this cost me a lot of time.

It is unacceptable that Symantec's development department is not reacting to the problem.

Having a network antivirus only to deploy its user policies manually on each workstation. I think next year I would opt for workstation antivirus solutions.

I'm joking, and I hope the product development department will work on the problem quickly.

Regards, RC

0
Pradeepb

Hi,

Another important part of exclusion is reporting; currently there is no report which will show what is excluded for endpoints.  From an audit point of view it is a critical requirement.

Thanks,

Pradeep

0
dsmith1954

We have a .NET app that puts files in the user directory, and SEP flags it as unknown and quarantines it. We need to be able to make this exclusion. Also, we have files that are downloaded from the local intranet to update another application, but without this exclusion, Download Protection always quarantines the file. The only way around this so far is to lower the setting for Download Protection, but that kind of defeats the purpose of Download Protection, doesn't it?

0